Thank you Martin. Thank you very much. I'm very glad to be in this audience. My name is V Shapiro. Some of you know who I am.
I'm doing, it's 20 years. I'm doing identity government, identity management, data governance. I'm from Ukraine originally. Thank you for supporting my country. It's always a pleasure. So what we're gonna talk today is forgotten topic. How many of you are in IAM operations? Raise your hand please. Okay. Actually you all are, you don't really know about it, right? So here's the deal. What am I saying? Is it working by the way? Where should I Sometimes? Hmm? Sometimes. Yeah. We'll try to figure it out. Yeah. Here we go. So this is a news for you. There is no IAM operation.
Definition of description on Google. Try to find one.
I, you know, try. Well, in reality it's like, you know, it's talk about IAM.
But there is one company called Optiv, which mentioned people, you, you are not mentioned at all, right? Why? Because your organization care about you. Only when something goes what?
Wrong, right? When something goes wrong, they, they, they find you, right? So here's a timeline for something goes wrong, right? Issue reported, issue resolved. And hopefully we will find the cause. How many people find the cause? Yeah. Fuck. So reality of the fact is that unfortunately the only way we know something goes wrong. If what somebody's reporting it, who is reporting it? Two type of people. One person is actual users. When I can't log in, don't have my permission or what I call observers. Observers are audit people. Your logging system, your alarm system, right?
All of those observers. So really this is what we hear, right? But in reality there are much more what's going on here. There's a time called before the issue. Familiar with that time when we're drinking coffee, right? Yeah. And the issue comes up and there is another piece of time called after the issue. Right? After the issue was we fixed the issue. Here's the thing. Why? Because there is an event and that event caused the issue, right? Make sense? Now unfortunately there is a second event which turns B after the issue into guess before another issue. That's right.
Agree. Make sense?
Okay, moving on. I don't have much time today, but I'm not gonna go through the case because they're, no, we don't have much time. But basically you can read it. Everybody familiar with this case?
Approvers, nobody knows where to find. And then we fix it, we find another approver. Great. We put a new system in. Update comes in. And guess what? We have an old approver in, right? I'm not gonna spend a lot of time on this neck and case. Very familiar with a lot of people too. God forbid you change the way you calculate your employee.
Okay? Very familiar story. I don't want to go details. Double trouble meaning two identities for one person problem. Okay? And finally my favorite one, I'm not gonna go through the list of it, I'm just gonna put it together.
You know, basically ID is very simple. We have two types of roles. You love roles, right? One type role is related to title. Another one is related to location. Sometimes we have a little issue called nested groups, which creates the toxic combination. So by the security or removed, what's gonna happen next, you're gonna be provisioned again because according to the rule, dynamically you are assigned to this stuff. But according to rules, you can't, right? What is in common between all three cases. Tell me.
They're all caused by automation, right? We love automation. Why we have a problem.
First of all, we need to do this, right? Second of all, we need to do something about, I tell you something. I'm working in organization when almost 70% of all the tickets we have related to automation, we know how it, so, I mean we can't remove the automation. Why we have this problem. Because we know that we need to have good data. We don't have it. Who owns the data business? Are you ready to stop in front of the business? Say your data suck?
No, I don't wanna do this 'cause I'm gonna put myself in trouble because of this. We are humans. If bot bot will do it for us. I'm telling you bots will. But we are people. So we have to remember that we have psychological things, we have stress, we have safety. I don't wanna be blamed for the problem, right? We also have motivations. What the motivation to report issue is never happened yet. No. Right? And finally we're tired. How many issues we have to handle a day? Terrible number, right? So here's an idea, and this is idea.
I propose already once, and I think you guys can take a look at this. Every time update happens, simulate before you put it into production and run use cases, which you can grab from where? From your ticketing system. Because your ticketing system tell you how many similar events and problems you had before, right?
Results of that goes to the analytics.
You know, the previous person talk about SNT analytics. Guess what Other, other vendors also have analytics. So you look analytical, you find out the reason why it happened. Then you go back and say, oh by the way, this guy manager who's supposed to be approving, he's gone for two months, he's still in the system. What's going on? We have to update it, right? Then you can request an update manual. Automatically it doesn't matter. And guess what you do next? You run it again.
This is why in my opinion, AI ML really makes sense because you can generate those tickets even before those tickets showed up. Agree with me? Good. Moving along. So this is inside of the box. This is within the our system. What we have today. We have our processes, we have our system, we have our approvals, right?
How can we eliminate and reduce the number of tickets? Guess what? We have to think outside of the box. So I'm just gonna go quick on here.
So what, oops, sorry, it goes back. So basically approval process. Who likes approvals? No one.
Okay, we need to eliminate, minimize them. Moving to business, need access based access. I did it last year. I was talking about that basic idea is very simple. People do not request access for just fun. They usually have a task assigned, which requires you to do this. Today we are managers are doing something like, imagine you're going to IKEA store, you get your box to make a table and there is no instructions inside of it. This is what happened when you assigned a task, right? They say you do. It's like how? Well find out.
You go online, you look at the guy, you get video of the guy with a bunch of tools.
He said with those tools, you can do it really fast. You get all your tools and you realize, well, you need a screwdriver. That's it. Why did I get the other tools? I have no idea, but I'm gonna keep it. Hopefully you don't need a hammer for that, right?
Anyway, so that's a good idea. Defining approval. Simulation is not such a bad idea either, right? Next thing we're fulfillment workflows. Who likes very complex workflows? I'll tell you who. Professional services companies, right? You don't. You are. You are in operations. You wanna simple, right? You wanna simplify as much as you can. Great data validation before fulfilling, right? Please validate the data before go, right? It has to be part of it. And finally, org charts.
Who has, which company has great org charts? I don't know one.
You know, it's probably, and finally we're gonna go to the business policies, please.
Business policy is a big deal. If you really wanna know what the business policy look like and show it to demonstrate to your management, show them tickets. Don't show them processes. Don't explain them.
Oh, for this employment, this thing we need for this workflow. They don't care. Just tell 'em we have thousand tickets created because of bad processes. And the answer will be, how do you know?
Well, we have tools for that. Okay, so basically, again, I'm gonna go through quick, pretty quickly because it's all that. So tools available and tools are possibly available in the future. So when you talk to your vendors who you're serving, look for the following. Look for analyze existing ticket capability. By the way, this is an interesting gap. I don't know off the top of my head.
Good, good, good systems. So anyone with the, you know, entrepreneurial spirit would like to build one.
I would be first one to try, honestly. Now the analyzing workflow automation, missing, incorrect data, missing mismatches, analyze the org chart data. When you analyze this and show it to the business, guess what business is gonna do? They finally have statistics and numbers to go against and find out what is wrong, right? Because they always try to blame technology. We are not want to be blamed.
We say, Hey, we're using what you're having to us. It's a box, right? Where's instructions?
Finally, what I propose kind of a, I don't call it revolutionary, but still in my opinion, business takes entitlement. Want to talk to me after that? I'll talk to you about that more. I did it last year. The presentation about that. The idea is every time we want something, we need a real business task for it, right? In integrate that. Imagine you have ServiceNow.
Task is assigned. There is a prerequisite giving to you. As soon as you get the task assigned, you got it automatically. As soon as your task is finished, you're done. There's a great concept of zero standing privileges.
Basically work like that. You create an Apti account at the beginning, there's nothing assigned to you. You can't do anything with it. As soon as something is assigned to you, certain things added to it, now you can use it, but it's temporarily, it's not forever. As soon as your task is closed, this is gone. You can read more about it, you can talk to Eve, by the way. And the Ian and the SGNL, that's another company is basically doing this. They're doing this. And finally this thing, the last one, which I presented at last year, guys, we are not need. We don't need just entitlement.
It's the whole path.
Because you're using an identity to get in. You're using the devices to get in maybe one, one, right? Maybe your laptop, then another jump server or something like that. And finally you get a target system, which you're hitting. It's a path we need. We don't need just one entitlement. And when we create and assign a path, it we're a much safer world because we know exactly how every step is going and within the path. That's only where your entitlements actually work. Okay? That to me is a critical thing.
If anybody wants to do something like, thank you, we can talk about this. But I think that that's the way it was supposed to go. And it's really goes really well with this, with zero standing privileges. So in my opinion, this is the way to go. And basically, you know, that's a hall of how recommendation you can read about it. So remember about your people, you are important. 60% of budget related to identity governance goes to IAM operations, which means I, I'm seriously talking to psychologists about that. Daniel shores of psychologist is not IGA specialist. Okay? Remember that?
It's a good idea to do the simulations right before you implement. And finally, let's move towards business oriented business need based task-based provisioning, using IDT. You can find me later here. Thank you very much for your attention.
Thank, thank you Vlad, for this entertaining talk. I think we have a little time. Are there any questions from the audience?
If not, I, I think one thing where I maybe slightly disagree with you is, okay, I, I believe it's a very good idea to talk, for instance, as IAM department with HR. Because a lot of problems we see arise from the fact that we just don't talk with them. And my experience is the talking sometimes really help to clarify some things. Because very frequently HR doesn't know that you rely on the quality of certain attributes or they feel, hey, it's not my job. And solving these things out also I think is very important. But this is again, I would say people correct talking to each other.
So Vlad, thank you very much for your talk. Thank you. It was super entertaining. Raise your hands please. Again. Thank you guys. Thank you.